CSP: Permit exempting schemes only for certain policy areas.

public/web/WebSecurityPolicy.h

 /*
  * Copyright (C) 2009 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 49 matching lines @@
     // Registers a URL scheme to not generate mixed content warnings when
     // included by an HTTPS page.
     BLINK_EXPORT static void registerURLSchemeAsSecure(const WebString&);
 
     // Registers a non-HTTP URL scheme which can be sent CORS requests.
     BLINK_EXPORT static void registerURLSchemeAsCORSEnabled(const WebString&);
 
     // Registers a URL scheme whose resources can be loaded regardless of a page's Content Security Policy.
     BLINK_EXPORT static void registerURLSchemeAsBypassingContentSecurityPolicy(const WebString&);
 
+    // Registers a URL scheme for which some kinds of resources bypass Content Security Policy.
+    // This enum should be kept in sync with Source/platform/weborigin/SchemeRegistry.h.

[Mike West, 2014/11/18 20:35:46]

Can you add something to Source/web/AssertMatchingEnums.cpp to verify that this
is kept up to date?

+    enum PolicyAreas : uint32_t {
+        PolicyAreaNone = 0,
+        PolicyAreaImage = 1 << 0,
+        PolicyAreaStyle = 1 << 1,
+        // Add more policy areas as needed by clients.
+        PolicyAreaAll = ~static_cast<uint32_t>(0),
+    };
+    BLINK_EXPORT static void registerURLSchemeAsBypassingContentSecurityPolicy(const WebString& scheme, PolicyAreas);
+
     // Registers a URL scheme as strictly empty documents, allowing them to
     // commit synchronously.
     BLINK_EXPORT static void registerURLSchemeAsEmptyDocument(const WebString&);
 
     // Support for whitelisting access to origins beyond the same-origin policy.
     BLINK_EXPORT static void addOriginAccessWhitelistEntry(
         const WebURL& sourceOrigin, const WebString& destinationProtocol,
         const WebString& destinationHost, bool allowDestinationSubdomains);
     BLINK_EXPORT static void removeOriginAccessWhitelistEntry(
         const WebURL& sourceOrigin, const WebString& destinationProtocol,
         const WebString& destinationHost, bool allowDestinationSubdomains);
     BLINK_EXPORT static void resetOriginAccessWhitelists();
 
     // Returns the referrer modified according to the referrer policy for a
     // navigation to a given URL. If the referrer returned is empty, the
     // referrer header should be omitted.
     BLINK_EXPORT static WebString generateReferrerHeader(WebReferrerPolicy, const WebURL&, const WebString& referrer);
 
     // Registers an URL scheme to not allow manipulation of the loaded page
     // by bookmarklets or javascript: URLs typed in the omnibox.
     BLINK_EXPORT static void registerURLSchemeAsNotAllowingJavascriptURLs(const WebString&);
 
 private:
     WebSecurityPolicy();
 };
 
 } // namespace blink
 
 #endif